[Update: OpenVPN is working again with no configuration changes - after killing the user who was running ettercap.]

I’ve been using OpenVPN to provide secure wireless for a group of around 200 students here, of which around 60 frequently use it.

It was running fine for the last few months, but started doing weird stuff on Friday. Dear Lazyweb, I’m lost at debugging the cause…

I’ve eliminated the wireless links as possible cause, so here is the simplified setup:

User #1 | -- openvpn  -- | tap0 \                 eth1 | -- DMZ net
                                |- br0  Firewall
User #2 | -- ethernet -- | eth0 /                 eth2 | -- internet

So the firewall host has three ethernet interfaces, one of which is bridged together with the OpenVPN in tap mode.

Everything works just fine for User #2. The firewall rules all use only br0 as the device, and a netmask that covers both User #1 and User #2. Rule counters in iptables verify that the firewall is working correctly.

User #1 can:

  • access hosts in the DMZ network perfectly all the time
  • access the internet fine for like 2 seconds
  • ping the internet

After these two seconds, packets start being retransmitted; some of the retransmissions will then arrive at the client, but rarely enough to actually receive a simple website.

I am not aware of any changes to the client or server OpenVPN configurations. The latest changes (according to SVN) in the firewall rules were completely unrelated “accept” rules… (and the retransmissions arrive, so…)

Any hint? Some MTU issue maybe? Maybe “upstream” routers increased their MTU, and now the packets are hitting some triggers? But why would it then work for 2 seconds each time openvpn on the client is restarted?
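Because tap0 and eth0 are bridged into br0, the VPN clients share one layer-2 broadcast domain with the wired users, so a host on the wired side running an ARP poisoner (as the update above says ettercap was) can redirect the VPN users' gateway traffic just as easily as the wired users'. The tell-tale sign on the bridge is the gateway IP flip-flopping between two MACs, which is what arpwatch-style monitoring reports. The following is an added example of such a detector, not code from the original post: it walks a constructed list of ARP replies (timestamp, sender IP, sender MAC; all addresses made up) and flags MAC changes, flip-flops back to a previously seen MAC, and one MAC claiming several IPs.

```python
from collections import defaultdict

# Constructed sample of ARP replies as they might be seen on br0.
# Tuples are (seconds, sender IP, sender MAC); every value is made up.
SAMPLE_ARP = [
    (0.0, "10.0.0.1",  "00:11:22:33:44:01"),   # firewall / default gateway
    (0.5, "10.0.0.20", "00:11:22:33:44:20"),   # an ordinary client
    (1.0, "10.0.0.1",  "00:11:22:33:44:01"),
    (2.1, "10.0.0.1",  "de:ad:be:ef:00:99"),   # a second MAC claims the gateway
    (2.6, "10.0.0.1",  "00:11:22:33:44:01"),   # the real gateway answers again
    (3.2, "10.0.0.1",  "de:ad:be:ef:00:99"),   # ...and is overridden once more
    (3.8, "10.0.0.20", "de:ad:be:ef:00:99"),   # same MAC now also claims the client
]


def detect_arp_anomalies(replies, flipflop_window=60.0):
    """Return findings (dicts) in the order they occur.

    kind == "changed":  an IP answered from a MAC it was not using before
    kind == "flipflop": the IP went back to a MAC it used within the window
    kind == "multi_ip": one MAC has now claimed a second IP address
    """
    current = {}                     # ip -> mac currently believed
    last_seen = defaultdict(dict)    # ip -> {mac: last timestamp seen}
    ips_per_mac = defaultdict(set)   # mac -> set of IPs it has claimed
    findings = []

    for ts, ip, mac in replies:
        prev = current.get(ip)
        if prev is not None and prev != mac:
            # Returning to a MAC seen recently is the classic poisoning signature:
            # the real host and the spoofer keep overwriting each other's reply.
            if mac in last_seen[ip] and ts - last_seen[ip][mac] <= flipflop_window:
                kind = "flipflop"
            else:
                kind = "changed"
            findings.append({"ts": ts, "kind": kind, "ip": ip,
                             "old_mac": prev, "new_mac": mac})

        if ips_per_mac[mac] and ip not in ips_per_mac[mac]:
            # A single NIC answering for several IPs is typical of a host
            # impersonating both the gateway and its victims.
            findings.append({"ts": ts, "kind": "multi_ip", "ip": ip,
                             "old_mac": None, "new_mac": mac})

        current[ip] = mac
        last_seen[ip][mac] = ts
        ips_per_mac[mac].add(ip)

    return findings


def suspect_macs(replies):
    """MACs that claimed more than one IP address in the capture."""
    claimed = defaultdict(set)
    for _ts, ip, mac in replies:
        claimed[mac].add(ip)
    return {mac for mac, ips in claimed.items() if len(ips) > 1}


if __name__ == "__main__":
    for f in detect_arp_anomalies(SAMPLE_ARP):
        print(f"{f['ts']:5.1f}s {f['kind']:8} {f['ip']:10} {f['old_mac']} -> {f['new_mac']}")
    print("suspect MACs:", suspect_macs(SAMPLE_ARP))
```

On a real bridge the reply list would come from a sniffer on br0 (tcpdump filtering on ARP, or arpwatch's log), and the finding to alert on first is any change to the gateway's MAC; the "works for a moment, then retransmissions" behaviour in the post is consistent with the gateway entry being overwritten shortly after each client comes up.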